Re: 2.0.0-pre2 Time?
Roy Walker wrote:
> Don't know if there is an official list of things needed to be done
> before pre2? It's been a few months, maybe time for a pre2?

Pretty much, yes. There were a few bug fixes I was waiting for, but it looks pretty good.

I'm traveling this week and next week, but I'll see if I can squeeze it in.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different Authentication for several devices (several Nas-Ip-Address)
Just a couple of small corrections:

Calling-Station-Id := "Dev"

not

Calling-Station-Id := Dev

(those are strings); same for the other entries.

You might be able to remove that last entry - you are not going to test for "Any" in huntgroups anyway? As I understood, you only want to restrict access to the Dev and Prod server groups.

The name of the file is in radiusd.conf, where you uncomment "files".

Ivan Kalik
Kalik Informatika ISP

On 23/7/2007, "nicolas" <[EMAIL PROTECTED]> writes:

> In the USERS file or Pre_Proxy_Users file ?
>
> Thanks !
>
> Nicolas.
>
> Hugh Messenger wrote:
>> You might try:
>>
>> DEFAULT NAS-IP-Address =~ "^192\.168\.48\."
>>         Calling-Station-Id := Dev
>>         Fall-Through = 1
>>
>> DEFAULT NAS-IP-Address =~ "^192\.168\.48\."
>>         Calling-Station-Id := Prod
>>         Fall-Through = 1
>>
>> DEFAULT NAS-IP-Address !~ "^(192\.168\.48\.|192\.168\.49\.)"
>>         Calling-Station-Id := Any
>>         Fall-Through = 1
>>
>> -- hugh
2.0.0-pre2 Time?
Don't know if there is an official list of things needed to be done before pre2? It's been a few months, maybe time for a pre2?

Roy
RE: Different Authentication for several devices (several Nas-Ip-Address)
Nicolas said:
> In the USERS file or Pre_Proxy_Users file ?

I believe that would be the preproxy_users.

BTW, I made a typo, that second DEFAULT should be for .49, not .48.

> Thanks !
>
> Nicolas.

-- hugh
Re: Different Authentication for several devices (several Nas-Ip-Address)
In the USERS file or Pre_Proxy_Users file ?

Thanks !

Nicolas.

Hugh Messenger wrote:
> You might try:
>
> DEFAULT NAS-IP-Address =~ "^192\.168\.48\."
>         Calling-Station-Id := Dev
>         Fall-Through = 1
>
> DEFAULT NAS-IP-Address =~ "^192\.168\.48\."
>         Calling-Station-Id := Prod
>         Fall-Through = 1
>
> DEFAULT NAS-IP-Address !~ "^(192\.168\.48\.|192\.168\.49\.)"
>         Calling-Station-Id := Any
>         Fall-Through = 1
>
> -- hugh
Re: Radius server Crashing
Chris Bell wrote:
> Please see the attached... Thank you kindly!

Or, debugging mode, as suggested in the FAQ, README, INSTALL...

Alan DeKok.
Re: 2.0 mysql.sql
On Mon 23 Jul 2007, Phil Mayers wrote:
> On Mon, 2007-07-23 at 10:11 -0500, Hugh Messenger wrote:
> > Also, unless there is some bizarre circumstance I haven't thought of
> > where the same IP would appear twice, make FrameIPAddress a 'unique'
> > index, to prevent accidentally adding the same IP twice when
> > provisioning the table.
>
> VRFs with overlapping address space are one possible use I can think of;
> handing out special IPs which redirect to "you are banned" or null route
> is another.
>
> Don't make it unique. Do index it.

I disagree. It DOES need to be unique and indexed. In the case where you are virtualising things with VRF (which I do in production) you need to add an extra VRF key to the queries (in my case I use calledstationid) and you would adjust the index/constraints accordingly.

--
Peter Nixon
http://peternixon.net/
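The two positions in this thread (index framedipaddress but leave it non-unique, versus make it unique together with a VRF key such as calledstationid) can be tried out directly. The following is an added example using sqlite3, not code from the thread or from FreeRADIUS; the radippool columns follow the 2.0 schema under discussion but the table is cut down, and all addresses and VRF names are constructed.

```python
"""Per-VRF uniqueness for the sqlippool table, shown with sqlite3.

Added example, not code from the thread or from FreeRADIUS.  A UNIQUE
index on framedipaddress alone would reject the legitimate reuse of an IP
across VRFs with overlapping address space; a UNIQUE index over
(framedipaddress, calledstationid), with calledstationid carrying the VRF
key, still catches a provisioning run that duplicates an IP inside one
VRF.  The table below is simplified and the data is constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radippool (
    id               INTEGER PRIMARY KEY,
    pool_name        TEXT    NOT NULL,
    framedipaddress  TEXT    NOT NULL,
    nasipaddress     TEXT    NOT NULL DEFAULT '',
    calledstationid  TEXT    NOT NULL DEFAULT '',  -- VRF key in this example
    callingstationid TEXT    NOT NULL DEFAULT '',
    expiry_time      INTEGER NOT NULL DEFAULT 0,
    username         TEXT    NOT NULL DEFAULT ''
);
-- An IP may appear once per VRF.  The same index serves lookups by IP,
-- since framedipaddress is its leading column.
CREATE UNIQUE INDEX radippool_ip_vrf
    ON radippool (framedipaddress, calledstationid);
-- Allocation picks a free or expired address from one pool in one VRF.
CREATE INDEX radippool_alloc
    ON radippool (pool_name, calledstationid, expiry_time);
"""


def open_pool():
    """Fresh in-memory database with the schema above applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def provision(conn, pool, vrf, addresses):
    """Insert addresses into pool/vrf; return (inserted, rejected_as_duplicate)."""
    inserted = rejected = 0
    for ip in addresses:
        try:
            with conn:  # commit on success, roll back on error
                conn.execute(
                    "INSERT INTO radippool (pool_name, framedipaddress, calledstationid)"
                    " VALUES (?, ?, ?)",
                    (pool, ip, vrf),
                )
            inserted += 1
        except sqlite3.IntegrityError:
            rejected += 1  # this IP is already provisioned in this VRF
    return inserted, rejected


def rows_for_ip(conn, ip):
    """Number of pool rows holding ip, across all VRFs."""
    return conn.execute(
        "SELECT COUNT(*) FROM radippool WHERE framedipaddress = ?", (ip,)
    ).fetchone()[0]


def uses_index(conn, sql, params):
    """True if SQLite's plan for sql touches an index instead of scanning the table."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return any("INDEX" in row[3] for row in plan)


def demo():
    """Provision overlapping space in two VRFs and report what the constraint did."""
    conn = open_pool()
    first = provision(conn, "pool-a", "vrf-cust-a", [f"10.0.0.{i}" for i in range(1, 5)])
    # A second run overlaps the first by two addresses: the mistake the
    # UNIQUE index is meant to catch.
    again = provision(conn, "pool-a", "vrf-cust-a", [f"10.0.0.{i}" for i in range(3, 7)])
    # The same 10.0.0.0/24 space in a different VRF is legitimate.
    other = provision(conn, "pool-b", "vrf-cust-b", [f"10.0.0.{i}" for i in range(1, 5)])
    return {
        "first": first,          # (4, 0)
        "again": again,          # (2, 2): .3 and .4 rejected, .5 and .6 inserted
        "other_vrf": other,      # (4, 0)
        "rows_10.0.0.3": rows_for_ip(conn, "10.0.0.3"),  # 2, one per VRF
        "ip_lookup_indexed": uses_index(
            conn, "SELECT id FROM radippool WHERE framedipaddress = ?", ("10.0.0.3",)),
        "username_lookup_indexed": uses_index(
            conn, "SELECT id FROM radippool WHERE username = ?", ("alice",)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```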
RE: 2.0 mysql.sql
On Mon, 2007-07-23 at 10:11 -0500, Hugh Messenger wrote:
> While we are on the subject of schemas (schemi?) ...
>
> Would it be worth adding some indexing to the basic sqlippool table? At the
> moment, only the 'id' is indexed, by virtue of being the primary key.
>
> I should imagine that even a medium sized provider could end up with quite
> large radippool tables, at a thousand or so entries for every four class
> C's. I'm just a corner shop ISP, but even I'll end up with about 10k
> entries by the time I'm done migrating everything from Funk.
>
> With 3 queries per login, 1 each for every stop, start and update, plus
> whatever work the backend provisioning is doing to check and update the
> pools, that's a lot of extra work for the db with no indexing.
>
> Also, unless there is some bizarre circumstance I haven't thought of where
> the same IP would appear twice, make FrameIPAddress a 'unique' index, to
> prevent accidentally adding the same IP twice when provisioning the table.

VRFs with overlapping address space are one possible use I can think of; handing out special IPs which redirect to "you are banned" or null route is another.

Don't make it unique. Do index it.
Re: Radius server Crashing
On Mon 23 Jul 2007, Chris Bell wrote:
> Hello All -
>
> A newbie I am so please be patient with me. I am a Junior Network Admin
> who has unexpectedly inherited a Senior Admin position.

Congrats.

> I also inherited a problem with our Radius servers.

Welcome to the list :-)

> We are running freeradius-1.1.3-1.2.el5.i386. Our Network backup daemon
> (Rancid) logs in to each network device on the hour to check for changes,
> backup the configs, etc...
>
> The radius server crashes after a period of time. I think the Rancid
> service is crashing it. When I log into the box running the radius
> server, and check the running processes associated with radius, I get:
>
> radiusd  21873      1  0 05:01 ?        00:00:05 /usr/sbin/radiusd -y
> radiusd  22006  21873  0 05:41 ?        00:00:00 [netstat]
> radiusd  22115  21873  0 06:40 ?        00:00:00 [netstat]
> radiusd  22417  21873  0 07:40 ?        00:00:00 [netstat]
> radiusd  22612  21873  0 08:41 ?        00:00:00 [netstat]
> radiusd  22937  21873  0 10:41 ?        00:00:00 [netstat]
> root     23300  23197  0 12:14 pts/0    00:00:00 grep rad
>
> The radius server(s) are running on Centos 5 if that makes a difference.
> After these "defunct" processes build up to about 10 or 12... Radius no
> work. Boss get mad.

heh. They tend to do that on occasion...

> I've searched the net and found no answers... If the answer to my problem
> is painfully obvious, please remember that I started this email with a
> declaration of newbness.

It looks like your copy of radius is running netstat which is not exiting/being cleaned up properly. FreeRADIUS does NOT run netstat by default, so you probably have a custom module configured and it looks like it has issues.

Maybe if you share your radiusd.conf we will be able to help you further...

Cheers
--
Peter Nixon
http://peternixon.net/
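The build-up Peter diagnoses above can be watched for before it reaches the 10 to 12 processes at which the server stopped answering. The script below is an added example, not code from the thread or from FreeRADIUS: it parses a `ps -ef` listing shaped like the one quoted (the sample is constructed to match it), finds the radiusd parent and lists its bracketed children with their age.

```python
"""Count unreaped children of radiusd from a ps -ef listing.

Added example, not from the thread.  ps prints the command in brackets when
the process no longer has a readable argv, which is what a child looks like
once the program it exec'd has exited but the parent has not wait()ed for
it.  The thread's listing shows one radiusd parent (PID 21873) accumulating
exactly such "[netstat]" children, one per hourly run.  The sample below is
constructed to match that listing's layout.
"""

# Constructed sample in `ps -ef` layout: UID PID PPID C STIME TTY TIME CMD
SAMPLE_PS = """\
radiusd  21873      1  0 05:01 ?        00:00:05 /usr/sbin/radiusd -y
radiusd  22006  21873  0 05:41 ?        00:00:00 [netstat]
radiusd  22115  21873  0 06:40 ?        00:00:00 [netstat]
radiusd  22417  21873  0 07:40 ?        00:00:00 [netstat]
radiusd  22612  21873  0 08:41 ?        00:00:00 [netstat]
radiusd  22937  21873  0 10:41 ?        00:00:00 [netstat]
root     23300  23197  0 12:14 pts/0    00:00:00 grep rad
"""


def parse_ps(text):
    """Yield one dict per process line; CMD may contain spaces, so split at most 7 times."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("UID"):
            continue  # skip blank lines and the ps header row
        uid, pid, ppid, _c, stime, tty, _cpu, cmd = line.split(None, 7)
        yield {"uid": uid, "pid": int(pid), "ppid": int(ppid),
               "stime": stime, "tty": tty, "cmd": cmd}


def minutes_between(stime, now_hhmm):
    """Minutes from an HH:MM STIME to now, wrapping across midnight.  ps prints a
    date instead of HH:MM for processes older than a day; that case is not handled."""
    def to_min(hhmm):
        hours, mins = (int(x) for x in hhmm.split(":"))
        return hours * 60 + mins
    return (to_min(now_hhmm) - to_min(stime)) % (24 * 60)


def radiusd_pid(ps_text):
    """PID of the daemon itself: the row whose command is a radiusd binary."""
    for proc in parse_ps(ps_text):
        if proc["cmd"].split()[0].endswith("/radiusd"):
            return proc["pid"]
    return None


def unreaped_children(ps_text, parent_pid, now_hhmm):
    """[(pid, cmd, age_minutes)] for children of parent_pid whose CMD is a bare [name]."""
    found = []
    for proc in parse_ps(ps_text):
        cmd = proc["cmd"]
        if proc["ppid"] == parent_pid and cmd.startswith("[") and cmd.endswith("]"):
            found.append((proc["pid"], cmd, minutes_between(proc["stime"], now_hhmm)))
    return found


if __name__ == "__main__":
    # 12:14 is when the grep in the listing ran, so it serves as "now".
    parent = radiusd_pid(SAMPLE_PS)
    stuck = unreaped_children(SAMPLE_PS, parent, "12:14")
    print(f"radiusd pid {parent}: {len(stuck)} unreaped children")
    for pid, cmd, age in stuck:
        print(f"  pid {pid} {cmd} started {age} min ago")
    if len(stuck) >= 8:  # the thread reports failure around 10-12; warn with margin
        print("WARNING: approaching the child-process build-up described in the thread")
```

On a live host, feed it the output of `ps -ef` instead of SAMPLE_PS; a steadily growing list with one new entry per hour points at the module that runs the external program, as Peter suggests.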
LDAP authentication stops working after a while
Hi everyone,

I have a queer comportment on a Debian FreeRadius version.

The server is configured to authenticate the users (with a bind) on two identical LDAP servers through SSL (for 802.1x authentication purposes).

This works quite fine for a while (a few days) and then stops working at all until service restart.

Should this be related to a machine limitation? A buffer overflow or so?

At the time the service stops working, about 30 LDAPS connections are open between FreeRadius and the first LDAP server (the second one is never solicited).

Is there a way to limit the LDAP connections' duration and force FreeRadius to close them after this limit and open new ones (to clean its buffers)?

Any help will be appreciated.

The auth mechanisms used are EAP-TTLS + PAP with SecureW2 supplicant.

Best regards

Vincent MAZARD
DML France
[EMAIL PROTECTED]
www.dml.fr
RE: Different Authentication for several devices (several Nas-Ip-Address)
[EMAIL PROTECTED] said
> If [ NAS-IP-Address =~ 192.168.48.* ]
>     Calling-Station-Id = Dev
> else
>     if [ NAS-IP-Address =~ 192.168.49.* ]
>         Calling-station-id = Prod
>     else
>         Calling-station-id = Any
>     fi
> fi

You might try:

DEFAULT NAS-IP-Address =~ "^192\.168\.48\."
        Calling-Station-Id := Dev
        Fall-Through = 1

DEFAULT NAS-IP-Address =~ "^192\.168\.48\."
        Calling-Station-Id := Prod
        Fall-Through = 1

DEFAULT NAS-IP-Address !~ "^(192\.168\.48\.|192\.168\.49\.)"
        Calling-Station-Id := Any
        Fall-Through = 1

-- hugh
Radius server Crashing
Hello All -

A newbie I am so please be patient with me. I am a Junior Network Admin who has unexpectedly inherited a Senior Admin position. I also inherited a problem with our Radius servers.

We are running freeradius-1.1.3-1.2.el5.i386. Our Network backup daemon (Rancid) logs in to each network device on the hour to check for changes, backup the configs, etc...

The radius server crashes after a period of time. I think the Rancid service is crashing it. When I log into the box running the radius server, and check the running processes associated with radius, I get:

radiusd  21873      1  0 05:01 ?        00:00:05 /usr/sbin/radiusd -y
radiusd  22006  21873  0 05:41 ?        00:00:00 [netstat]
radiusd  22115  21873  0 06:40 ?        00:00:00 [netstat]
radiusd  22417  21873  0 07:40 ?        00:00:00 [netstat]
radiusd  22612  21873  0 08:41 ?        00:00:00 [netstat]
radiusd  22937  21873  0 10:41 ?        00:00:00 [netstat]
root     23300  23197  0 12:14 pts/0    00:00:00 grep rad

The radius server(s) are running on Centos 5 if that makes a difference. After these "defunct" processes build up to about 10 or 12... Radius no work. Boss get mad.

I've searched the net and found no answers... If the answer to my problem is painfully obvious, please remember that I started this email with a declaration of newbness.

Chris Bell
Systems
Re: Different Authentication for several devices (several Nas-Ip-Address)
Moreover, I use a proxy because in the huntgroup file I can't use a CIDR network, just a host IP.

Quoting [EMAIL PROTECTED]:
> OK. If your devices put their IP addresses in Called-Station-Id field
> there is no need to do rewrites. You can use regexp operators to
> control access as Called-Station-Id attribute is a string.
>
> NAS1    NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.48."
>         Dev group(s) in reply
>
> NAS2    NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.49."
>         Prod group(s) in reply
>
> Ivan Kalik
> Kalik Informatika ISP
>
> You can leave out the proxy IP check if all traffic comes over the
> proxy. You might need to escape periods in regexp.
Re: Different Authentication for several devices (several Nas-Ip-Address)
Called-Station-Id isn't equal to Nas-Ip-Address, it is equal to the PC where I initiate the telnet connection. It's not equal to my Nas-Ip :(

So, I would change the Called-Station-Id to Nas-Ip-Address and Nas-Ip-Address to the proxy address.

Any idea?

Quoting [EMAIL PROTECTED]:
> OK. If your devices put their IP addresses in Called-Station-Id field
> there is no need to do rewrites. You can use regexp operators to
> control access as Called-Station-Id attribute is a string.
>
> NAS1    NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.48."
>         Dev group(s) in reply
>
> NAS2    NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.49."
>         Prod group(s) in reply
>
> Ivan Kalik
> Kalik Informatika ISP
>
> You can leave out the proxy IP check if all traffic comes over the
> proxy. You might need to escape periods in regexp.
Re: The "right" way to limit a user to one EAP Type
Artur Hecker wrote:
...
>> # group "foo" must use PEAP
>> DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
>>
>> # group "bar" must use TTLS
>> DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
>
> That's my problem - I think this cannot work with tunneled methods.

Try CVS head. You can have multiple virtual servers, *including* different servers for PEAP and TTLS tunnels. *Including* different virtual servers for tunneled sessions, per NAS, or per user group, or...

Much better. Much easier.

> ...I have
> no idea how to OR these two (EAP-Type == PEAP OR EAP-MSCHAPv2), but
> even that would not be satisfactory since it would allow to use brute
> EAP-MSCHAPv2 without a tunnel.

DEFAULT FreeRADIUS-Proxied-To != 127.0.0.1, EAP-Type == EAP-MSCHAPv2, Auth-Type := Reject

> If I'm not mistaken, it would be nice to have two different
> attributes like EAP-Type and EAP-Inner-Type or something OR we need
> different SQL queries for the inner and the outer methods
> configurable... Am I wrong?

Nope. 2.0 supports that. Easily.

Alan DeKok.
RE: 2.0 mysql.sql
While we are on the subject of schemas (schemi?) ...

Would it be worth adding some indexing to the basic sqlippool table? At the moment, only the 'id' is indexed, by virtue of being the primary key.

I should imagine that even a medium sized provider could end up with quite large radippool tables, at a thousand or so entries for every four class C's. I'm just a corner shop ISP, but even I'll end up with about 10k entries by the time I'm done migrating everything from Funk.

With 3 queries per login, 1 each for every stop, start and update, plus whatever work the backend provisioning is doing to check and update the pools, that's a lot of extra work for the db with no indexing.

Also, unless there is some bizarre circumstance I haven't thought of where the same IP would appear twice, make FrameIPAddress a 'unique' index, to prevent accidentally adding the same IP twice when provisioning the table.

-- hugh
Re: Different Authentication for several devices (several Nas-Ip-Address)
OK. If your devices put their IP addresses in Called-Station-Id field there is no need to do rewrites. You can use regexp operators to control access as Called-Station-Id attribute is a string.

NAS1    NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.48."
        Dev group(s) in reply

NAS2    NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.49."
        Prod group(s) in reply

Ivan Kalik
Kalik Informatika ISP

You can leave out the proxy IP check if all traffic comes over the proxy. You might need to escape periods in regexp.

On 23/7/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes:

> Re-Hello ;-)
>
> I search how I can do this but I don't find...
>
> I want to do this :
>
> If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Dev"
> else
>     If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Prod"
>     else
>         Do nothing.
>     fi
> fi
>
> I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another
> attribute (Calling-Station-ID)..
>
> Thank you for your help !!
>
> NicolaS.
Re: Different Authentication for several devices (several Nas-Ip-Address)
[EMAIL PROTECTED] wrote:
> I want to do this :
>
> If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Dev"
> else
>     If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Prod"
>     else
>         Do nothing.
>     fi
> fi
>
> I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another
> attribute (Calling-Station-ID)..

In what will become 2.0, it's pretty much that easy. Check out the CVS head.

Alan DeKok.
Re: 2.0 mysql.sql
On Mon 23 Jul 2007, Hugh Messenger wrote:
> Alan DeKok said:
> > Sent: Monday, July 23, 2007 9:03 AM
> > To: FreeRadius users mailing list
> > Subject: Re: 2.0 mysql.sql
> >
> > Peter Nixon wrote:
> > > ok. Its fixed. I am beginning to think that for 2.0, maybe we should
> > > just make EVERYTHING lowercase for ALL database backends. It would be one
> > > less compatibility issue to deal with. Would anyone take issue with that?
> > > (I realise it has backwards compatibility issues to MySQL on windows
> > > users. Does it affect anyone else though?)
> >
> > I hATe ThE usE oF ExesSiVe Cap...
>
> Working 24*7 in RADIUS-Attribute-Land must drive you crazy!
>
> > Ah, the heck with it. Make it all lowercase.
>
> As long as we do some checking first, as Peter mentions. Make sure it's
> not just MySQL on Windows which has the case issue. And as long as we
> provide a simple update_case.sql to modify the tables appropriately when
> upgrading to 2.x.

Given that we already HAD some case issues (that you asked me to fix) I am not sure that it's a big deal.

> Personally I'd be very loath to change things just for cosmetic reasons.
> It's not like db col names are things we have to type very often. And the
> risk of unforeseen back compat issues is very real.

Well, we decided about 6 months ago that we were going to make every cosmetic change we could think of for the 2.0 release in the hope that we wouldn't need to make any more in the future :-)

> The only real wrinkle for me is I'll have to run a non-standard 1.1.7
> config, as I'm about to set up 2.0 as my secondary, so I'll have 1.1.7 and
> 2.0 talking to the same (case sensitive) db. No biggie, just an example
> of one of those back compat issues.

Oh my god it burns. Why would you do that to yourself??? :-D

--
Peter Nixon
http://peternixon.net/
Re: 2.0 mysql.sql
On Mon 23 Jul 2007, Alan DeKok wrote:
> Peter Nixon wrote:
> > ok. Its fixed. I am beginning to think that for 2.0, maybe we should
> > just make EVERYTHING lowercase for ALL database backends. It would be
> > one less compatibility issue to deal with. Would anyone take issue with
> > that? (I realise it has backwards compatibility issues to MySQL on
> > windows users. Does it affect anyone else though?)
>
> I hATe ThE usE oF ExesSiVe Cap...
>
> Ah, the heck with it. Make it all lowercase.

Done :-)

--
Peter Nixon
http://peternixon.net/
Re: Different Authentication for several devices (several Nas-Ip-Address)
Re-Hello ;-)

I search how I can do this but I don't find...

I want to do this :

If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Dev"
else
    If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Prod"
    else
        Do nothing.
    fi
fi

I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another attribute (Calling-Station-ID)..

Thank you for your help !!

NicolaS.

Quoting [EMAIL PROTECTED]:
> Hello,
>
> Thank you for your help but I don't understand how you can make it.
>
> Here my configuration that I try:
>
> # Replace the NAS-IP-Address by Proxy-IP
> attr_rewrite overwrite_nasip {
>         attribute = "NAS-IP-Address"
>         searchfor = ".*"
>         packet = packet
>         replacewith = "10.28.65.130"
>         max_matches = 1
> }
>
> # Dev Eqpt : 192.168.48.0/24
> attr_rewrite dev_equipment {
>         attribute = "Calling-Station-Id"
>         searchfor = ".*"
>         packet = packet
>         replacewith = "Dev"    --> Replace String Dev for all Eqpts but not for 192.168.48.0/24!!
>         max_matches = 1
> }
>
> preproxy {
>         files
>         overwrite_nasip
>         dev_equipment
> }
>
> Here what I want :
>
> 1.
>
> If [ NAS-IP-Address =~ 192.168.48.* ]
>     Calling-Station-Id = Dev
> else
>     if [ NAS-IP-Address =~ 192.168.49.* ]
>         Calling-station-id = Prod
>     else
>         Calling-station-id = Any
>     fi
> fi
>
> 2.
> the proxy forwards the access-request to the radius server
>
> 3.
> The radius server receives the access-request
>     If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
>         instance_openldap-Ldap-Group == CiscoDev
>     else
>         If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
>             instance_openldap-Ldap-Group == CiscoProd
>         else
>             instance_openldap-Ldap-Group == CiscoOthers
>         fi
>     fi
>
> Thank you for your assistance
>
> Nicolas.
RE: 2.0 mysql.sql
Alan DeKok said:
> Sent: Monday, July 23, 2007 9:03 AM
> To: FreeRadius users mailing list
> Subject: Re: 2.0 mysql.sql
>
> Peter Nixon wrote:
> > ok. Its fixed. I am beginning to think that for 2.0, maybe we should just
> > make EVERYTHING lowercase for ALL database backends. It would be one less
> > compatibility issue to deal with. Would anyone take issue with that? (I
> > realise it has backwards compatibility issues to MySQL on windows users.
> > Does it affect anyone else though?)
>
> I hATe ThE usE oF ExesSiVe Cap...

Working 24*7 in RADIUS-Attribute-Land must drive you crazy!

> Ah, the heck with it. Make it all lowercase.

As long as we do some checking first, as Peter mentions. Make sure it's not just MySQL on Windows which has the case issue. And as long as we provide a simple update_case.sql to modify the tables appropriately when upgrading to 2.x.

Personally I'd be very loath to change things just for cosmetic reasons. It's not like db col names are things we have to type very often. And the risk of unforeseen back compat issues is very real.

The only real wrinkle for me is I'll have to run a non-standard 1.1.7 config, as I'm about to set up 2.0 as my secondary, so I'll have 1.1.7 and 2.0 talking to the same (case sensitive) db. No biggie, just an example of one of those back compat issues.

> Alan DeKok.

-- hugh
Re: 2.0 mysql.sql
Peter Nixon wrote:
> ok. Its fixed. I am beginning to think that for 2.0, maybe we should just
> make EVERYTHING lowercase for ALL database backends. It would be one less
> compatibility issue to deal with. Would anyone take issue with that? (I
> realise it has backwards compatibility issues to MySQL on windows users.
> Does it affect anyone else though?)

I hATe ThE usE oF ExesSiVe Cap...

Ah, the heck with it. Make it all lowercase.

Alan DeKok.
Re: Encrypt password with EAP auth
Lubomír Vogl wrote:
> I use Freeradius as authenticator for our wireless Windows XP users. I
> successfuly configure communication and users can authenticate (eap module).
> I use MySql database where I store username and params.
>
> I want to use our existing database of users but our database uses function
> ENCRYPT() (in MySQL) to store user password.
> I can't configure freeradius to use this encrypted password. Can you help me ?

No. It's impossible.

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
Re: Encrypt password with EAP auth
http://deployingradius.com/documents/protocols/compatibility.html

You won't be able to use crypt with MSCHAPv2.

Ivan Kalik
Kalik Informatika ISP

On 23/7/2007, "Lubomír Vogl" <[EMAIL PROTECTED]> writes:

> Hi,
>
> I use Freeradius as authenticator for our wireless Windows XP users. I
> successfully configure communication and users can authenticate (eap module).
> I use MySql database where I store username and params.
>
> I want to use our existing database of users but our database uses function
> ENCRYPT() (in MySQL) to store user password.
> I can't configure freeradius to use this encrypted password. Can you help me ?
>
> Lubomir Vogl
Re: TTLS session resumption
El hadi Iskander wrote:
> I wonder if Freeradius V1.1.3-2 supports TTLS session resumption and if
> yes how to configure that ?

No. As always, patches are welcome.

Alan DeKok.
Re: The "right" way to limit a user to one EAP Type
Replying to myself - here comes a possible resolution for this 'EAP-Type restriction per user/group' thread:

A possible solution is to restrict EAP-Type but by using a different operator (man 5 users): "EAP-Type += <method>" where method is one of (instead of ":=" for tunneled methods; for non-tunneled methods I think both should be fine).

I tested it: with a MySQL backend, a user configured as EAP-Type += PEAP could use PEAP-MSChapv2 but not TTLS-PAP, while a user configured EAP-Type += EAP-TTLS could use TTLS-PAP but not PEAP. rlm/eap - freeradius correctly reported "client wants to ttls, while we require peap, rejecting the user" (or vice versa).

Not sure it is the intended way, so I hope the behaviour won't change in the next release. But it works.

Greetings and thanks
artur

On 23 Jul 2007, at 13:14, Artur Hecker wrote:
> Hi
>
> On 23 Jul 2007, at 11:21, Phil Mayers wrote:
>> On Mon, 2007-07-23 at 10:20 +0200, Artur Hecker wrote:
>>> Hello
>>>
>>> In the default configuration, if a User-Password is defined for a
>>> user, the user can be authenticated by all applicable authentication
>>> types. That is the sense and the beauty of the default
>>> configuration :-)
>>>
>>> However, in a practical deployment, a serious security policy is
>>> likely to state the contrary: every user (or usergroup) should be
>>> authenticated by exactly one authentication method.
>>
>> Why?
>>
>> Surely a method is either secure (in which case you'd let people use it)
>> or insecure (in which case you'd let no-one use it)?
>>
>> I would consider our deployment "practical" (>20k users, almost 400 APs)
>> and we don't care what method they use, as long as it's secure and
>> generates keys.
>
> As I said, it is the matter of security policy, I cannot discuss it,
> for it is not an opinion :-)
>
> What you say does make sense to me, but on the other hand I still do
> not see why it should be possible to authenticate a user by more than
> one method. From what you are saying, one would conclude that only
> one method should be used for all users. But very often it depends on
> the security level of the user group and the trust you have in user
> capabilities (-> security policy...)
>
> I can give you real-world examples, which will certainly lead to
> further discussions.
>
> Case 1: To accelerate deployment, company A considers that PEAP-MSCHAPv2
> should be used by all users not having a certificate. It had
> the advantage to work immediately (say against internal AD with NTLM
> or SQL, etc). However, user certificates are being issued over the
> time period - for the same user identity. The point thus is to
> prevent users who have obtained the certificates from keeping on
> using old style password auth.
>
> Case 2: some "important users" still use TTLS-PAP but everybody
> should use PEAP-MSCHAP-v2. You cannot deactivate TTLS-PAP even if you
> consider it not good enough. You don't want others to use it though.
>
> Case 3: different backends are available, each storing a part of
> users with password in clear and in hash forms. Needless to say, some
> users are stored in both... Wireless admins have no power on these.
> Thus, TTLS-PAP and PEAP-MSCHAPv2 are used interchangeably, in some
> times by the same user, even if you feel like TTLS-PAP is less secure.
>
> And it goes on and on, even with EAP-MD5 in wired... Just don't take
> the examples literally. What I am saying is that, very often, such
> situations are linked to internal company processes, to compatibility
> concerns, etc., sometimes you cannot deactivate an authentication
> method for administrative reasons but you would like to restrain its
> use as far as possible, etc.
>
>>> What is the "right" (recommended) way to do it? Could not find
>>> anything on that in Wiki. (Would be glad to add it, when finished).
>>
>> Do you want to restrict everyone to a single EAP type, or different
>> people/groups to different EAP types?
>
> an EAP type per group and/or user.
>
>>> Background: I used to restrict users by explicitly setting for them
>>> (their group) EAP-Type := something, according to the user profile.
>>> However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication
>>> does not work anymore as before: the inner PEAP authentication fails
>>> with "cannot tunnel TLS in TLS", most probably since the authorize
>>> module (sql) sets EAP-Type := PEAP. It *may* be just me though.
>>
>> Yeah, don't do that. Have something like:
>>
>> authorize {
>>     preprocess
>>     eap
>>     files
>> }
>>
>> in "users":
>>
>> # group "foo" must use PEAP
>> DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
>>
>> # group "bar" must use TTLS
>> DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
>
> That's my problem - I think this cannot work with tunneled methods.
>
> I think that with this config the user will be rejected whenever the
> inner method has to check the password (the type is not
Windows AD cleartext LDAP in 5 minutes
Once again FR "just works". :-)

I decided to try LDAP for my clear text PAP authentication against an Active Directory (so I can get rid of PAM/winbind). Having read so many horror stories from people trying to do this, I expected it to be problematic. It took exactly 5 minutes to get it working. So I thought I'd share the details for anyone else googling around for this topic. There's lots of stuff about Windows AD using ntlm_auth for MS-CHAP out there, but very little about clear text using LDAP (that I could find).

The only changes from the out-of-box config I needed to get it working were:

    modules {
        ...
        ldap {
            ...
            server = somehost.somedomain.com
            identity = "CN=someuser,CN=Users,DC=somedomain,DC=com"
            password = somepassword
            basedn = "CN=Users,DC=somedomain,DC=com"
            filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
            base_filter = "(objectclass=people)"
            ...
        }
        ...
    }

    authorize {
        ...
        ldap
        ...
    }

    authenticate {
        ...
        ldap
        ...
    }

Notes:

The 'ldap' must appear in the authorize and authenticate sections somewhere BEFORE 'pap'.

Windows AD uses 'sAMAccountName' instead of 'uid' in the filter.

You have to provide a valid identity and password, it won't work with anonymous binding.

The filter spec above is in FR 2.x format, in 1.x you need to strip one set of %{} out thusly:

    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

I'll no doubt ratchet the basedn down to a more specific domain group and play with the user and group profile stuff now I have it working, but those changes got me going.

-- hugh
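The filter in the post interpolates a value taken from the RADIUS request (Stripped-User-Name, falling back to User-Name) into an LDAP search filter, so it is worth seeing what the `%{%{a}:-%{b}}` fallback does and why the interpolated value must be escaped per RFC 4515 before it reaches the directory. The block below is an added illustration written for this page; it is not FreeRADIUS code (rlm_ldap performs its own escaping of expanded values) and only models the two behaviours. The attribute names are the ones from the post; the sample requests are constructed.

```python
from typing import Mapping, Optional

# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value, each written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def xlat_default(request: Mapping[str, str], primary: str, fallback: str) -> Optional[str]:
    """Model of the %{%{primary}:-%{fallback}} expansion used in the post.

    The primary attribute wins when it is present and non-empty; otherwise the
    fallback is used. Returns None when neither attribute is set.
    """
    value = request.get(primary)
    if value:
        return value
    return request.get(fallback) or None


def build_samaccountname_filter(request: Mapping[str, str]) -> str:
    """Build the sAMAccountName lookup filter with the interpolated value escaped."""
    name = xlat_default(request, "Stripped-User-Name", "User-Name")
    if name is None:
        raise ValueError("request carries neither Stripped-User-Name nor User-Name")
    return "(sAMAccountName=%s)" % ldap_filter_escape(name)


if __name__ == "__main__":
    # Constructed sample requests: a plain login, a realm-stripped login, and
    # a User-Name that happens to contain filter metacharacters.
    for req in (
        {"User-Name": "alice"},
        {"User-Name": "alice@example.com", "Stripped-User-Name": "alice"},
        {"User-Name": "a*)(uid=*"},
    ):
        print(build_samaccountname_filter(req))
```

The third sample shows the point of the escaping: without it the parentheses and asterisks in a client-supplied name would be parsed as filter syntax rather than as part of the account name being looked up.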
Re: The "right" way to limit a user to one EAP Type
Hi

On 23 Jul 2007, at 11:21, Phil Mayers wrote:
> On Mon, 2007-07-23 at 10:20 +0200, Artur Hecker wrote:
>> Hello
>>
>> In the default configuration, if a User-Password is defined for a
>> user, the user can be authenticated by all applicable authentication
>> types. That is the sense and the beauty of the default
>> configuration :-)
>>
>> However, in a practical deployment, a serious security policy is
>> likely to state the contrary: every user (or usergroup) should be
>> authenticated by exactly one authentication method.
>
> Why?
>
> Surely a method is either secure (in which case you'd let people use it)
> or insecure (in which case you'd let no-one use it)?
>
> I would consider our deployment "practical" (>20k users, almost 400 APs)
> and we don't care what method they use, as long as it's secure and
> generates keys.

As I said, it is the matter of security policy, I cannot discuss it, for it is not an opinion :-)

What you say does make sense to me, but on the other hand I still do not see why it should be possible to authenticate a user by more than one method. From what you are saying, one would conclude that only one method should be used for all users. But very often it depends on the security level of the user group and the trust you have in user capabilities (-> security policy...)

I can give you real-world examples, which will certainly lead to further discussions.

Case 1: To accelerate deployment, company A considers that PEAP-MSCHAPv2 should be used by all users not having a certificate. It had the advantage to work immediately (say against internal AD with NTLM or SQL, etc). However, user certificates are being issued over the time period - for the same user identity. The point thus is to prevent users who have obtained the certificates from keeping on using old style password auth.

Case 2: some "important users" still use TTLS-PAP but everybody should use PEAP-MSCHAP-v2. You cannot deactivate TTLS-PAP even if you consider it not good enough. You don't want others to use it though.

Case 3: different backends are available, each storing a part of users with password in clear and in hash forms. Needless to say, some users are stored in both... Wireless admins have no power on these. Thus, TTLS-PAP and PEAP-MSCHAPv2 are used interchangeably, in some times by the same user, even if you feel like TTLS-PAP is less secure.

And it goes on and on, even with EAP-MD5 in wired... Just don't take the examples literally. What I am saying is that, very often, such situations are linked to internal company processes, to compatibility concerns, etc., sometimes you cannot deactivate an authentication method for administrative reasons but you would like to restrain its use as far as possible, etc.

>> What is the "right" (recommended) way to do it? Could not find
>> anything on that in Wiki. (Would be glad to add it, when finished).
>
> Do you want to restrict everyone to a single EAP type, or different
> people/groups to different EAP types?

an EAP type per group and/or user.

>> Background: I used to restrict users by explicitly setting for them
>> (their group) EAP-Type := something, according to the user profile.
>> However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication
>> does not work anymore as before: the inner PEAP authentication fails
>> with "cannot tunnel TLS in TLS", most probably since the authorize
>> module (sql) sets EAP-Type := PEAP. It *may* be just me though.
>
> Yeah, don't do that. Have something like:
>
> authorize {
>     preprocess
>     eap
>     files
> }
>
> in "users":
>
> # group "foo" must use PEAP
> DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
>
> # group "bar" must use TTLS
> DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject

That's my problem - I think this cannot work with tunneled methods.

I think that with this config the user will be rejected whenever the inner method has to check the password (the type is not PEAP -> Reject). I'm not sure since this explicit reject does not work with an SQL backend.

But I already tried the inverse logics "EAP-Type == PEAP" instead. SQL starts by saying "no matching entry in the database [...]", I guess since it does not find EAP-Type set to PEAP in the first request. In the given situation (PEAP by default), that's fine for the tunnel to start. It even finds the matching rows during the requests in between. But, as I said, it fails when it comes to the inner MSCHAPv2 check of the received response: it repeats "no matching entry in the database" and concludes "no User-Password" - because the type in the inner method is set to EAP-MSCHAPv2.

I have no idea how to OR these two (EAP-Type == PEAP OR EAP-MSCHAPv2), but even that would not be satisfactory since it would allow to use brute EAP-MSCHAPv2 without a tunnel.

If I'm not mistaken, it would be nice to have two different attributes lik
Encrypt password with EAP auth
Hi,

I use Freeradius as authenticator for our wireless Windows XP users. I successfully configure communication and users can authenticate (eap module). I use MySql database where I store username and params.

I want to use our existing database of users but our database uses function ENCRYPT() (in MySQL) to store user password. I can't configure freeradius to use this encrypted password. Can you help me ?

Lubomir Vogl
Re: TLS cant connect ldap+freeradius+novell
    ldapsearch -vvv -H ldap://nw1.system.wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
    ldap_initialize( ldap://nw1.system.wifi )
    ldap_start_tls: Connect error (-11)
    ldap_result: Can't contact LDAP server (-1)
    [EMAIL PROTECTED]:/etc/freeradius/certs#

And works without -Z :(

Can it have something to do with our IP-change after we installed the novell / novellCA? It's the correct ip to the server, but can the CA/certificate take damage in an IP-change? (The root-cert is exported AFTER the IP-change, but the CA-services was installed BEFORE the change).

The hosts-file seems to be needed cause else I don't think that the linux-freeradius can map the nw1.system.wifi to an IP.

/Mr G

>From: "Jorgen Rosink" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list
>To: "FreeRadius users mailing list"
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Mon, 23 Jul 2007 12:39:58 +0200
>
>On 7/23/07, Jorgen Rosink <[EMAIL PROTECTED]> wrote:
>> On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
>>
>>> If thats some kind of help!?
>>
>> There's a step-by-step howto on the Novell site:
>>
>> http://www.novell.com/documentation/edir_radius/index.html
>>
>> The section:
>>
>> Configuring the FreeRADIUS Server to Integrate with eDirectory ->
>> Modifying the LDAP Module
>>
>> seems pretty self-explanatory, follow the instructions, they do work !
>>
>> Try to understand the difference between TLS and SSL,
>> http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes
>> debugging the encryption stuff much easier.
>>
>> Good luck !
>
>Ow, I forgot to say this:
>
>* You're connecting to the LDAP server with an IP address:
>
>URI ldap://10.10.0.11 ldap://10.10.0.11
>
>* But the LDAP server is using a DNS based certificate:
>
>"Transport Layer Security (TLS / SSL)"
>Server Certificate:"SSL CertificateDNS"
>
>Try to change that one to "SSL CertificateIP" or connect to LDAP from
>FreeRadius with a FQDN, don't care about host files. Certificate
>validation doesn't care about host files, it cares about the Common
>Name...
Re: TLS cant connect ldap+freeradius+novell
I've tried to follow that guide. I've got the iManager on the same server as the RADIUS iManager plug-in and then by default iManager is configured with SSL/TLS. But it still doesn't answer my questions from the linux-computer who does ldapsearches, except when I do it unencrypted.

/Mr G

>From: "Jorgen Rosink" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list
>To: "FreeRadius users mailing list"
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Mon, 23 Jul 2007 12:30:06 +0200
>
>On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
>
>> If thats some kind of help!?
>
>There's a step-by-step howto on the Novell site:
>
>http://www.novell.com/documentation/edir_radius/index.html
>
>The section:
>
>Configuring the FreeRADIUS Server to Integrate with eDirectory ->
>Modifying the LDAP Module
>
>seems pretty self-explanatory, follow the instructions, they do work !
>
>Try to understand the difference between TLS and SSL,
>http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes
>debugging the encryption stuff much easier.
>
>Good luck !
Re: TLS cant connect ldap+freeradius+novell
On 7/23/07, Jorgen Rosink <[EMAIL PROTECTED]> wrote:
> On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
>
> > If thats some kind of help!?
>
> There's a step-by-step howto on the Novell site:
>
> http://www.novell.com/documentation/edir_radius/index.html
>
> The section:
>
> Configuring the FreeRADIUS Server to Integrate with eDirectory ->
> Modifying the LDAP Module
>
> seems pretty self-explanatory, follow the instructions, they do work !
>
> Try to understand the difference between TLS and SSL,
> http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes
> debugging the encryption stuff much easier.
>
> Good luck !

Ow, I forgot to say this:

* You're connecting to the LDAP server with an IP address:

    URI ldap://10.10.0.11 ldap://10.10.0.11

* But the LDAP server is using a DNS based certificate:

    "Transport Layer Security (TLS / SSL)"
    Server Certificate:"SSL CertificateDNS"

Try to change that one to "SSL CertificateIP" or connect to LDAP from FreeRadius with a FQDN, don't care about host files. Certificate validation doesn't care about host files, it cares about the Common Name...
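The point Jorgen makes, that a TLS client checks the name it dialled against the names in the certificate and that an /etc/hosts entry plays no part in that check, can be shown with a small name-matching routine. The block below is an added example written for this page, not code from the thread or from OpenLDAP/FreeRADIUS: it takes a certificate described in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, decides which identities it carries (subjectAltName first, commonName only as a fallback), and reports whether a connect target matches. The sample certificate, with the name `nw1.system.wifi` and the address `10.10.0.11` from the thread, is constructed; the real certificate's contents are not on the page. It also includes a two-line conversion of a base64 DER export (a `.b64` file) to PEM using only the standard library, since that question comes up later in the thread.

```python
import base64
import ssl
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed getpeercert()-style description of a server certificate of the
# "SSL CertificateDNS" kind: it names the host, not the host's IP address.
DNS_CERT: Dict = {
    "subject": ((("organizationName", "WIFITREE"),), (("commonName", "nw1.system.wifi"),)),
    "subjectAltName": (("DNS", "nw1.system.wifi"),),
}


def b64_der_to_pem(b64_text: str) -> str:
    """Convert a base64 DER certificate export (.b64) to PEM text."""
    der = base64.b64decode("".join(b64_text.split()))
    return ssl.DER_cert_to_PEM_cert(der)


def cert_identities(cert: Dict) -> Tuple[List[str], List[str]]:
    """Return (dns_names, ip_addresses) the certificate was issued for.

    subjectAltName is authoritative; the subject commonName is only consulted
    when no SAN entry is present, which is how most clients behave.
    """
    dns_names: List[str] = []
    ip_names: List[str] = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_names.append(value)
    if not dns_names and not ip_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_names


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.wifi").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def target_matches_cert(connect_target: str, cert: Dict) -> bool:
    """Does the host or IP literal the client dialled appear among the cert's identities?

    An IP literal is compared only against iPAddress SAN entries: a hosts-file
    mapping never turns "10.10.0.11" into "nw1.system.wifi" for this check.
    """
    dns_names, ip_names = cert_identities(cert)
    try:
        wanted = ip_address(connect_target)
    except ValueError:
        return any(dns_name_matches(n, connect_target) for n in dns_names)
    return any(ip_address(ip) == wanted for ip in ip_names)


if __name__ == "__main__":
    for target in ("nw1.system.wifi", "10.10.0.11"):
        verdict = "matches" if target_matches_cert(target, DNS_CERT) else "name mismatch"
        print("%s -> %s" % (target, verdict))
```

Run as a script it reports a match for the FQDN and a mismatch for the bare address, which is the `TLS: hostname does not match CN in peer certificate` situation described elsewhere in the thread: either connect with the name the certificate carries, or issue a certificate that carries the address.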
Re: TLS cant connect ldap+freeradius+novell
Ok, sounds good.

I run Netware v 5.70.33 and that seems to have eDirectory version 8.7.3.x

I got a tab on novell with Ldap-connection.

    "Transport Layer Security (TLS / SSL)"
    Server Certificate: "SSL CertificateDNS"
    Client Certificate: **Not Requested** / Requested / Required
    Trusted Root Containers: TRUSTrootOU.Security
    ( ) Require TLS for all operations (not checked)
    ( ) Enable and require mutual authentication (not checked)

    Ports
    (x) Enable Encrypted Port      Port: 636
    (x) Enable Non-Encrypted Port  Port: 389

If that's some kind of help!?

/Mr G

From: "Jorgen Rosink" <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: "FreeRadius users mailing list"
Subject: Re: TLS cant connect ldap+freeradius+novell
Date: Mon, 23 Jul 2007 11:47:45 +0200

On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
> I connected to the novell-server and inspected what ports the ldap used and
> its running on unencrypted 389 and encrypted port 636.
>
> My ldapconf now looks like:
> BASE: ou=adm,ou=malmo,o=wifi
> URI ldap://10.10.0.11 ldap://10.10.0.11
> TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem
> TLS_REQCERT demand
> ldap_version 3
> port 636
> ssl start_tls
> ssl on

You're trying to use "start_tls", TLS connections are started on the (unencrypted) port 389 and are "upgraded" to a secure connection on the same port. So probably you don't have TLS support with your LDAP server (you need at least eDirectory 8.7 for what I know).

Learn your LDAP server to talk TLS (by upgrading it), or initiate connections on the SSL port (636) and not the TLS one...
Re: TLS cant connect ldap+freeradius+novell
On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:

> If thats some kind of help!?

There's a step-by-step howto on the Novell site:

http://www.novell.com/documentation/edir_radius/index.html

The section:

Configuring the FreeRADIUS Server to Integrate with eDirectory -> Modifying the LDAP Module

seems pretty self-explanatory, follow the instructions, they do work !

Try to understand the difference between TLS and SSL, http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes debugging the encryption stuff much easier.

Good luck !
Re: 2.0 mysql.sql
On Fri 20 Jul 2007, Hugh Messenger wrote:
> Peter - a couple of things about the MySQL stuff:
>
> 1) I just noticed that the ./docs/examples/mysql.sql schema in the 2.0
> HEAD doesn't look right:
>
> #
> # Table structure for table 'radippool'
> #
> CREATE TABLE radippool (
>   id int(11) unsigned NOT NULL auto_increment,
>   pool_name varchar(30) NOT NULL,
>   FramedIPAddress varchar(15) NOT NULL default ,
>   NASIPAddress varchar(15) NOT NULL default ,
>   CalledStationId VARCHAR(30) NOT NULL,
>   CallingStationID VARCHAR(30) NOT NULL,
>   expiry_time DATETIME NOT NULL default '-00-00 00:00:00',
>   username varchar(64) NOT NULL default ,
>   pool_key varchar(30) NOT NULL,
>   PRIMARY KEY (id)
> );
>
> Note the missing default values. The 1.1.7 branch has a more correct
> looking version.

Ahh, yes. I caught and fixed this in 1.1.7 and forgot HEAD.. Grrr.. I hate working on multiple branches :-(

> 2) Also, I just noticed in the 2.0 mysql-ippool-dialup.conf, the
> allocate-clear query has ...
>
> allocate-clear = "UPDATE ${ippool_table} \
>   SET NASIPAddress = '', pool_key = 0, \
>   CallingStationID = '', username = '', \
>   expiry_time = '-00-00 00:00:00' \
>   WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
>
> Note the lower case 'nasipaddress'. Pretty please for to remember that
> MySQL on Windows is cASe SenSITiVe when it comes to column names. Well,
> by default. Yes, one can make the names case insensitive, but that can
> cause problems.
>
> And yeah, there aren't many of us using MySQL on Windows behind FR, but I
> happen to be one of them. Don't ask. :)
>
> FYI, slippool.conf in 1.1.7 has the correct case-ification.

ok. Its fixed. I am beginning to think that for 2.0, maybe we should just make EVERYTHING lowercase for ALL database backends. It would be one less compatibility issue to deal with. Would anyone take issue with that? (I realise it has backwards compatibility issues to MySQL on windows users. Does it affect anyone else though?)

Cheers
--
Peter Nixon
http://peternixon.net/
Help: How to configure attribute based on Access-Challenge in Server?
Hi,

Can we configure the attributes based on Access-Code (Access-Challenge/Access-Accept)? i.e. if I want to send the Reply-Message only in Access-Challenge but not in Access-Accept, how can I do that?

--
With Regards,
Govardhana K N
Re: TLS cant connect ldap+freeradius+novell
On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
> I connected to the novell-server and inspected what ports the ldap used and
> its running on unencrypted 389 and encrypted port 636.
>
> My ldapconf now looks like:
> BASE: ou=adm,ou=malmo,o=wifi
> URI ldap://10.10.0.11 ldap://10.10.0.11
> TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem
> TLS_REQCERT demand
> ldap_version 3
> port 636
> ssl start_tls
> ssl on

You're trying to use "start_tls", TLS connections are started on the (unencrypted) port 389 and are "upgraded" to a secure connection on the same port. So probably you don't have TLS support with your LDAP server (you need at least eDirectory 8.7 for what I know).

Learn your LDAP server to talk TLS (by upgrading it), or initiate connections on the SSL port (636) and not the TLS one...
Re: TLS cant connect ldap+freeradius+novell
I've now got the "10.10.0.11 nw1.system.wifi" in my /etc/hosts file.

I logged on to the novell-server and paged me to the ldap-connections-page. The server uses 389 for unencrypted connections and 636 for encrypted connections with ldap.

When I use:

    openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state

I get very very much information.. anything I shall look for!? maybe attach as a file here!?

When I use:

    openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3

I get: CONNECTED(0003) and nothing more.

When I use:

    openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp

I get the same "CONNECTED(0003)".

Any useful information!? Seems like it can connect on both the ports.

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list
>To: FreeRadius users mailing list
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Fri, 20 Jul 2007 11:14:46 +0200
>
>Martin G wrote:
>> Iv found the following on the novellserver (CA-service):
>> Distinguished name: WIFITREE CA.Security
>> Host server: NW1.SYSTEM.WIFI
>
>Well this looks like the novell ldap server certificate.
>
>> "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
>
>Yes.
>
>> I added the info in all kinds of sorts in my hosts-file to the novell-ip on
>> the linux-server but still no progress :( Still:
>
>Put
>
>10.10.0.11 nw1.system.wifi
>
>into the /etc/hosts file
>
>> ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi
>> "cn=lotta"
>> ldap_initialize( ldap://wifi )
>> ldap_start_tls: Connect error (-11)
>> additional info: TLS: hostname does not match CN in peer certificate
>> filter: cn=lotta
>> requesting: All userApplication attributes
>>
>> Any good idea!?
>
>Does your ldap server do ldaps on e.g. port 636?
>
>To get the ldap server certificate and maybe the CA chain validating this
>certificate you could try
>
># openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state
>
>If your ldap server does not do ldaps try
>
># openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3
>
>or
>
># openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp
>
>I expect this does not work since openssl s_client does not (yet) support
>starttls option with ldap protocol. But give it a whirl, maybe you get back
>something useful.
>
>Or enable ldaps on port 636 on your ldap server and try the top most
>openssl command from this mail.
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: TLS cant connect ldap+freeradius+novell
Hello!

I exported the .b64 and used a program to decrypt the .b64 into a .pem and put it in my /etc/freeradius/certs/WIFITREE_CA.pem then edited the /etc/ldap/ldap.conf /etc/ldap/slapd.conf and /etc/freeradius/radius.conf to point at the new .pem cert.

I connected to the novell-server and inspected what ports the ldap used and its running on unencrypted 389 and encrypted port 636.

My ldapconf now looks like:

    BASE: ou=adm,ou=malmo,o=wifi
    URI ldap://10.10.0.11 ldap://10.10.0.11
    TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem
    TLS_REQCERT demand
    ldap_version 3
    port 636
    ssl start_tls
    ssl on

--

when I use the line

    ldapsearch -vvv -H ldap://10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"

I receive:

    ldap_initialize( ldap://10.10.0.11 )
    ldap_start_tls: Connect error (-11)
    ldap_result: Can't contact LDAP server (-1)

But if I take away the -Z attribute, I get:

    ldapsearch -vvv -H ldap://10.10.0.11 -x -b ou=adm,ou=malmo,o=wifi "cn=lotta"
    ldap_initialize( ldap://10.10.0.11 )
    filter: cn=lotta
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: cn=lotta
    # requesting: ALL
    #

    # lotta, ADM, MALMO, WIFI
    dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
    zenzfdVersion:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QWdlbnREYX
     RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaW9uPjxWZXJX0ZVRpbWU+MTE0OTUwMTY4MjwvVmV
     yV3JpdGVUaW1lPjwvQWdlbnREXRhPg==
    zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage
    sasDefaultLoginSequence: --No default--
    uid: lotta
    givenName: lotta
    fullName: lotta whatever
    Language: ENGLISH
    sn: whatever
    passwordUniqueRequired: FALSE
    passwordRequired: TRUE
    passwordMinimumLength: 5
    passwordExpirationTime: 20070815131928Z
    passwordExpirationInterval: 3456000
    passwordAllowChange: TRUE
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: Person
    objectClass: ndsLoginProperties
    objectClass: Top
    objectClass: radiusprofile
    loginTime: 20070723095349Z
    loginGraceRemaining: 6
    loginGraceLimit: 6
    cn: lotta
    ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights]
    ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript
    ACL: 2#entry#[Public]#messageServer
    ACL: 2#entry#[Root]#groupMembership
    ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration
    ACL: 2#entry#[Root]#networkAddress

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

I'm not very good at certificates or ldap at all, but in my eyes, it seems to work un-encrypted and not when I try with the encryption. So it would be either the port 636 or the certificate!? And the novell tells me that the 636 port is used to accept encrypted questions.

Might it be a fault when I tried to decrypt the WIFITREE_CA.b64 to WIFITREE_CA.pem? Any other ideas? (is there a nice/easy way to do it in linux? I downloaded a windowsprogram and ftp:ed it to the linux-server)

(the freeradius also tells me like before that it cant get a tls-connection)

Thx for all help this far!!

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list
>To: FreeRadius users mailing list
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Fri, 20 Jul 2007 11:03:43 +0200
>
>Hi.
>
>Martin G wrote:
>> Subject of the novell-server-certificate is : O = WIFITREE
>> OU = Organizational CA
>
>Well, that looks like the SubjectDN of your Novell CA certificate. You need
>to put this CA certificate (not the pkcs#12/.p12 or the private key) in PEM
>format into the file referenced by option tls_cacertfile.
>
>> And thats no FQDN!?
>
>No.
>
>> (I exported it from the novell as an .der and extracted it to see the
>> subject, maybe wrong way to do it? i havent exported the private key with
>> either the .b64 or the .der and that shouldnt matter ?)
>
>You do *not* need the private key of your novell CA cert or your novell ldap
>server cert on your FreeRADIUS server.
>
>> *output from novell*
>
>This looks like a selfsigned root-CA certificate:
>
>> Subject name: OU=Organizational CA.O=WIFITREE
>> Issuer name: OU=Organizational CA.O=WIFITREE
>> Effective date: den 22 oktober 2005 23:04:08
>> Expiration date: den 22 oktober 2015 23:04:08
>> Certificate status: Valid
>>
>> Any idea how to type the FQDN !? :(
>
>You need to get a PEM formatted copy of this CA certificate (w/o private
>key) and put that to the file referenced by option tls_cacertfile.
>
>And for ldapsearch put this certificate into /etc/ldap/ldap.conf as
>
>TLS_CACERT /etc/ldap/novell-ca-cert.pem
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: The "right" way to limit a user to one EAP Type
On Mon, 2007-07-23 at 10:20 +0200, Artur Hecker wrote:
> Hello
>
> In the default configuration, if a User-Password is defined for a
> user, the user can be authenticated by all applicable authentication
> types. That is the sense and the beauty of the default configuration :-)
>
> However, in a practical deployment, a serious security policy is
> likely to state the contrary: every user (or usergroup) should be
> authenticated by exactly one authentication method.

Why?

Surely a method is either secure (in which case you'd let people use it) or insecure (in which case you'd let no-one use it)?

I would consider our deployment "practical" (>20k users, almost 400 APs) and we don't care what method they use, as long as it's secure and generates keys.

> What is the "right" (recommended) way to do it? Could not find
> anything on that in Wiki. (Would be glad to add it, when finished).

Do you want to restrict everyone to a single EAP type, or different people/groups to different EAP types?

> Background: I used to restrict users by explicitly setting for them
> (their group) EAP-Type := something, according to the user profile.
> However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication
> does not work anymore as before: the inner PEAP authentication fails
> with "cannot tunnel TLS in TLS", most probably since the authorize
> module (sql) sets EAP-Type := PEAP. It *may* be just me though.

Yeah, don't do that. Have something like:

    authorize {
        preprocess
        eap
        files
    }

in "users":

    # group "foo" must use PEAP
    DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject

    # group "bar" must use TTLS
    DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject

My-Group might be populated using rlm_passwd, or you might use SQL-Group or LDAP-Group or whatever.

However, this only restricts the outer EAP type, *AND* relies on the outer ID being the same as the inner ID i.e. you get no anonymous outer ID.
Re: mod_auth_radius
On Thu, Jul 19, 2007 at 09:14:28AM -0400, Nick Owen wrote:
> On 7/19/07, Rascher, Markus <[EMAIL PROTECTED]> wrote:
> >
> > Hi All,
> >
> > is there a tutorial how to install mod_auth_radius on an apache 2.xx server?
> > The howto on the freeradius webpage is a little bit deprecated I guess.
> > I get an error when starting the apache server after installing
> > mod_auth_radius:
> >
> > # service httpd start
> > Starting httpd: httpd: Syntax error on line 205 of
> > /etc/httpd/conf/httpd.conf: Cannot load
> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined
> > symbol: ap_snprintf
> > [FAILED]
>
> You might try mod_auth_xradius. I have done a couple of apache +
> radius + WiKID 2FA docs that might help:
> http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
>
> http://www.howtoforge.com/apache_radius_two_factor_authentication
>
> The latter is more recent.

I tried mod_auth_xradius but found it has a major bug where it won't let you configure more than one RADIUS server.

When I tried mod_auth_radius-2.0 this built OK with my server but I couldn't figure out what to put in httpd.conf to make it work. Has AuthAuthoritative been replaced by AuthBasicAuthoritative? If so, does anyone know what the httpd config for apache2 should look like?

--
Ben Thompson
Different Authentication for several devices (several Nas-Ip-Address)
Hello,

Thank you for your help but I don't understand how you can make it. Here is the configuration that I tried:

# Replace the NAS-IP-Address by Proxy-IP
attr_rewrite overwrite_nasip {
    attribute = "NAS-IP-Address"
    searchfor = ".*"
    searchin = packet
    replacewith = "10.28.65.130"
    max_matches = 1
}

# Dev Eqpt : 192.168.48.0/24
attr_rewrite dev_equipment {
    attribute = "Calling-Station-Id"
    searchfor = ".*"
    searchin = packet
    replacewith = "Dev"    --> Replaces string Dev for all Eqpts but not for 192.168.48.0/24!!
    max_matches = 1
}

preproxy {
    files
    overwrite_nasip
    dev_equipment
}

Here is what I want:

1. If [ NAS-IP-Address =~ 192.168.48.* ]
       Calling-Station-Id = Dev
   else if [ NAS-IP-Address =~ 192.168.49.* ]
       Calling-Station-Id = Prod
   else
       Calling-Station-Id = Any
   fi
   fi

2. The proxy forwards the Access-Request to the RADIUS server.

3. The RADIUS server receives the Access-Request:
   If [ NAS-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
       instance_openldap-Ldap-Group == CiscoDev
   else if [ NAS-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
       instance_openldap-Ldap-Group == CiscoProd
   else
       instance_openldap-Ldap-Group == CiscoOthers
   fi
   fi

Thank you for your assistance

Nicolas.
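As an added example that is not part of this thread or of FreeRADIUS itself, the following Python models the "users" file matching that both the EAP-Type restriction in the reply above and the NAS-IP-Address tagging asked about here rely on, so a policy can be checked offline before it goes into "users". The policy text (regexes taken from this thread), the My-Group attribute and the request dictionaries are constructed for the example; the matching semantics are a simplification of rlm_files, not its code.

```python
import re
# Added example, not FreeRADIUS code: a simplified model of how rlm_files walks
# "users" entries: check ops ==, !=, =~, !~ (an absent attribute never matches), a
# ":=" check item sets a control item on match, "Fall-Through = 1" keeps going.
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "=~": lambda a, b: re.search(b, a) is not None,
       "!~": lambda a, b: re.search(b, a) is None}
ITEM = re.compile(r'([\w-]+)\s*(:=|==|!=|=~|!~|=)\s*("[^"]*"|[^,\s]+)')
POLICY = r'''
DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
DEFAULT NAS-IP-Address =~ "^192\.168\.48\."
    Calling-Station-Id := Dev
    Fall-Through = 1
DEFAULT NAS-IP-Address =~ "^192\.168\.49\."
    Calling-Station-Id := Prod
    Fall-Through = 1
DEFAULT NAS-IP-Address !~ "^(192\.168\.48\.|192\.168\.49\.)"
    Calling-Station-Id := Any
'''

def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]

def parse_users(text):
    # An entry's first line is "name check, check, ..."; indented lines are reply items.
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
        else:
            name, _, checks = line.partition(" ")
            entries.append((name, parse_items(checks), []))
    return entries

def evaluate(request, policy=POLICY):
    # Returns (control, reply) dicts for a request given as {attribute: string}.
    control, reply = {}, {}
    for name, checks, replies in parse_users(policy):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(a in request and OPS[op](request[a], v)
                   for a, op, v in checks if op != ":="):
            continue
        control.update({a: v for a, op, v in checks if op == ":="})
        reply.update({a: v for a, op, v in replies if a != "Fall-Through"})
        if ("Fall-Through", "=", "1") not in replies:
            break  # no Fall-Through: the first matching entry wins
    return control, reply
```

Note that the reject entry has no Fall-Through, so once it matches nothing after it is evaluated; a request that passes it is then tagged by whichever NAS-IP-Address entry matches.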
TTLS session resumption
Hi!

I wonder if FreeRADIUS V1.1.3-2 supports TTLS session resumption and if yes, how to configure that?

Thx,
E
--
El hadi ISKANDER
AW: mod_auth_radius
Hi,

is there anyone who used mod_auth_radius with apache 2.xx??

From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On behalf of Rascher, Markus
Sent: Thursday, 19 July 2007 13:10
To: FreeRadius users mailing list
Subject: mod_auth_radius

Hi All,

is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated I guess. I get an error when starting the apache server after installing mod_auth_radius:

# service httpd start
Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf
[FAILED]

Thanks for your answers.

Markus
The "right" way to limit a user to one EAP Type
Hello

In the default configuration, if a User-Password is defined for a user, the user can be authenticated by all applicable authentication types. That is the sense and the beauty of the default configuration :-)

However, in a practical deployment, a serious security policy is likely to state the contrary: every user (or usergroup) should be authenticated by exactly one authentication method.

What is the "right" (recommended) way to do it? Could not find anything on that in Wiki. (Would be glad to add it, when finished).

Background: I used to restrict users by explicitly setting for them (their group) EAP-Type := something, according to the user profile. However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication does not work anymore as before: the inner PEAP authentication fails with "cannot tunnel TLS in TLS", most probably since the authorize module (sql) sets EAP-Type := PEAP. It *may* be just me though.

thanks
artur